US9979711B2 · Active · Utility patent

Authentication for VLAN tunnel endpoint (VTEP)

Assignee: CISCO TECH INC
Priority: Jun 26, 2015
Filed: Jun 26, 2015
Granted: May 22, 2018
Est. expiry: Jun 26, 2035 (~9 yrs left) · nominal 20-yr term from priority
Inventors: RAVINUTALA VEERA RAGHAVENDRA PRASAD; MITTAL ANUJ; Subramaniam Sandeep; BASAVANAKATTIMATHA SANJAY
Classification: H04L 63/0272; H04W 80/02; H04L 63/08; H04L 63/1483

PatentIndex score: 65
Cited by: 2
References: 26
Claims: 20

Abstract

A first network device configured as a first Virtual Local Area Network (VLAN) Tunnel Endpoint (VTEP) may receive a packet from a second network device. The first VTEP may determine that the second network device is a second VTEP and has not been established as a peer VTEP to the first VTEP. The first VTEP may maintain a status for the second network device as authentication pending, receive an authentication packet from the second network device, and authenticate the second network device as a peer VTEP using the authentication packet.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method comprising:
  at a first network device configured as a first Virtual Network Tunnel Endpoint (VTEP):
    receiving a packet from a second network device;
    determining that the second network device is a second VTEP and has not been established as a peer VTEP to the first VTEP;
    maintaining a status for the second network device as authentication pending;
    if the first VTEP is configured to be in an active mode:
      sending an authentication request packet to the second network device;
      receiving an authentication response packet from the second network device in reply to the authentication request packet; and
      authenticating the second network device as a peer VTEP using the authentication response packet;
    changing the status for the second network device to authenticated; and
    adding the second network device as an authenticated peer VTEP.

2. The method of claim 1, further comprising:
  determining whether the first VTEP is configured to be in the active mode.

3. The method of claim 1, wherein sending the authentication request packet includes:
  sending the authentication request packet as a unicast frame.

4. The method of claim 1, further comprising:
  determining that the first VTEP is configured to be in a passive mode; and
  determining that the authentication response packet is received on a multicast path with its destination being a multicast group address for a multicast group that the first VTEP has joined to serve Layer 2 broadcast traffic, unknown unicast traffic, and multicast traffic.

5. The method of claim 1, wherein the packet is a data packet, the method further comprising:
  before authenticating the second network device, buffering the data packet without accepting the data packet as legitimate data traffic; and
  after authenticating the second network device, accepting the data packet as legitimate data traffic.

6. The method of claim 1, wherein the packet is a route update packet received on a control plane.

7. The method of claim 1, further comprising:
  starting a timer when the status for the second network device is marked as authentication pending, wherein
  authenticating the second network device includes authenticating the second network device based on whether the timer has expired.

8. The method of claim 1, wherein authenticating the second network device includes determining that the authentication response packet indicates that the second network device has been configured with a predefined secret.

9. An apparatus comprising:
  one or more network ports to send/receive data packets to/from a communication network; and
  a processor coupled to the network ports, and configured to:
    receive a packet from a network device;
    determine that the network device is a Virtual Network Tunnel Endpoint (VTEP) and has not been established as a peer VTEP;
    maintain a status for the network device as authentication pending;
    if the apparatus is configured to be in an active mode:
      send an authentication request packet to the network device;
      receive an authentication response packet from the network device in reply to the authentication request packet; and
      authenticate the network device as a peer VTEP using the authentication response packet;
    change the status of the network device to authenticated; and
    add the network device as an authenticated peer VTEP.

10. The apparatus of claim 9, wherein the processor is further configured to:
  determine whether the apparatus is configured to be in the active mode.

11. The apparatus of claim 9, wherein the processor is further configured to:
  determine that the apparatus is configured to be in a passive mode; and
  determine that the authentication response packet is received on a multicast path with its destination being a multicast group address for a multicast group that the apparatus has joined to serve Layer 2 broadcast traffic, unknown unicast traffic, and multicast traffic.

12. The apparatus of claim 9, wherein the packet is a data packet, the processor further configured to:
  before authenticating the network device, buffer the data packet without accepting the data packet as legitimate data traffic; and
  after authenticating the network device, accept the data packet as legitimate traffic.

13. The apparatus of claim 9, wherein the processor is further configured to:
  start a timer when the status for the network device is marked as authentication pending, wherein
  the processor is configured to authenticate the network device based on whether the timer has expired.

14. The apparatus of claim 9, wherein the processor is configured to authenticate the network device by determining that the authentication response packet indicates that the network device has been configured with a predefined secret.

15. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a first network device configured as a first Virtual Local Area Network (VLAN) Tunnel Endpoint (VTEP), cause the processor to:
  receive a packet from a second network device;
  determine that the second network device is a second VTEP and has not been established as a peer VTEP to the first VTEP;
  maintain a status for the second network device as authentication pending;
  if the first VTEP is configured to be in an active mode:
    send an authentication request packet to the second network device;
    receive an authentication response packet from the second network device in reply to the authentication request packet; and
    authenticate the second network device as a peer VTEP using the authentication response packet;
  change the status of the second network device to authenticated; and
  add the second network device as an authenticated peer VTEP.

16. The non-transitory computer readable storage media of claim 15, further comprising instructions to cause the processor to:
  determine whether the first VTEP is configured to be in the active mode.

17. The non-transitory computer readable storage media of claim 15, further comprising instructions to cause the processor to:
  determine that the first VTEP is configured to be in a passive mode; and
  determine that the authentication response packet is received on a multicast path with its destination being a multicast group address for a multicast group that the first VTEP has joined to serve Layer 2 broadcast traffic, unknown unicast traffic, and multicast traffic.

18. The non-transitory computer readable storage media of claim 15, wherein the packet is a data packet, the non-transitory computer readable storage media further including instructions to cause the processor to:
  before authenticating the second network device, buffer the data packet without accepting the data packet as legitimate data traffic; and
  after authenticating the second network device as a peer VTEP, accepting the data packet as legitimate data traffic.

19. The non-transitory computer readable storage media of claim 15, further comprising instructions to cause the processor to:
  start a timer when the status for the second network device is marked as authentication pending, wherein
  the instructions to cause the processor to authenticate the second network device include instructions to cause the processor to authenticate the second network device based on whether the timer has expired.

20. The non-transitory computer readable storage media of claim 15, wherein the instructions to cause the processor to authenticate the second network device include instructions to cause the processor to determine that the authentication response packet indicates that the second network device has been configured with a predefined secret.
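The exchange that the abstract and the claims describe (an unknown VTEP is marked authentication pending and a timer is started; its data packets are buffered rather than accepted; in active mode the local VTEP sends a unicast authentication request and checks the response, in passive mode it checks that the response arrived on the BUM multicast group it has joined; a response that shows the sender holds the predefined secret moves the peer to authenticated and releases the buffered data) can be modeled end to end. The block below is an added example written for this page; it is not Cisco's implementation, and nothing in the patent fixes the packet format or the mechanism by which the response "indicates" the secret. Assumptions: the secret is proven with an HMAC-SHA256 over a nonce and the responder's address; the active VTEP's request carries a fresh nonce that the response must echo; a passive VTEP only checks the multicast destination and the MAC; the class names, addresses, group, timeout and key are invented for the illustration.

```python
# Added example for this page (not Cisco's code): the packet format, the HMAC proof of
# the "predefined secret" and every name, address and key here are assumptions.
import hashlib, hmac, os, time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PENDING, AUTHENTICATED, REJECTED = "authentication pending", "authenticated", "rejected"
NONCE_LEN = 16

@dataclass
class Packet:
    src: str               # sending VTEP's address (assumed identifier)
    kind: str              # "data", "auth_req" or "auth_resp"
    dst: str = "unicast"   # "unicast" or a multicast group address
    payload: bytes = b""   # data; nonce for auth_req; nonce || mac for auth_resp

@dataclass
class PeerState:
    status: str = PENDING
    started: float = 0.0                # when the pending timer started
    challenge: Optional[bytes] = None   # nonce we sent in our auth_req (active mode)
    buffered: List[Packet] = field(default_factory=list)

def _mac(secret: bytes, nonce: bytes, responder: str) -> bytes:
    # Assumed proof of possession of the predefined secret: HMAC-SHA256 over nonce and sender.
    return hmac.new(secret, nonce + responder.encode(), hashlib.sha256).digest()

class Vtep:
    def __init__(self, addr: str, secret: bytes, mode: str = "active", bum_group: str = "239.1.1.1",
                 pending_timeout: float = 5.0, clock: Callable[[], float] = time.monotonic):
        self.addr, self.secret, self.mode, self.clock = addr, secret, mode, clock
        self.bum_group, self.pending_timeout = bum_group, pending_timeout  # BUM group we joined
        self.peers: Dict[str, PeerState] = {}
        self.accepted: List[Packet] = []    # data packets accepted as legitimate traffic

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.kind == "auth_req":          # a peer is challenging us
            return self.answer_request(pkt)
        peer = self.peers.get(pkt.src)
        if peer is None:                    # unknown VTEP: mark it pending, start the timer
            peer = self.peers[pkt.src] = PeerState(started=self.clock())
            if self.mode == "active":       # challenge it; buffer (do not accept) its data
                peer.challenge = os.urandom(NONCE_LEN)
                if pkt.kind == "data":
                    peer.buffered.append(pkt)
                return Packet(self.addr, "auth_req", payload=peer.challenge)
        if pkt.kind == "data":
            if peer.status == AUTHENTICATED:
                self.accepted.append(pkt)
            elif peer.status == PENDING:
                peer.buffered.append(pkt)   # held until the peer authenticates
        elif pkt.kind == "auth_resp" and peer.status == PENDING:
            self._authenticate(pkt, peer)
        return None

    def _authenticate(self, resp: Packet, peer: PeerState) -> None:
        nonce, mac = resp.payload[:NONCE_LEN], resp.payload[NONCE_LEN:]
        if self.clock() - peer.started > self.pending_timeout:
            ok = False                      # pending timer expired: do not authenticate
        elif self.mode == "active":
            ok = nonce == peer.challenge    # must echo our own fresh challenge
        else:
            ok = resp.dst == self.bum_group # passive: must arrive on the BUM multicast path
        ok = ok and hmac.compare_digest(mac, _mac(self.secret, nonce, resp.src))
        peer.status = AUTHENTICATED if ok else REJECTED
        if ok:
            self.accepted.extend(peer.buffered)  # buffered data becomes legitimate traffic
        peer.buffered.clear()                    # on rejection the buffered data is dropped

    def answer_request(self, req: Packet) -> Packet:
        # Unicast reply proving we hold the secret (the claim 3 path).
        return Packet(self.addr, "auth_resp", payload=req.payload + _mac(self.secret, req.payload, self.addr))

    def announce(self) -> Packet:
        # Unsolicited proof sent to the BUM group, for passive peers (the claim 4 path).
        nonce = os.urandom(NONCE_LEN)
        return Packet(self.addr, "auth_resp", dst=self.bum_group, payload=nonce + _mac(self.secret, nonce, self.addr))

def outcome(v: Vtep, src: str): return (v.peers[src].status, [x.payload for x in v.accepted])

def demo() -> dict:
    secret = b"shared-vtep-secret"                      # constructed shared secret
    b = Vtep("10.0.0.2", secret)                        # the VTEP being admitted as a peer
    a = Vtep("10.0.0.1", secret, mode="active")         # 1. active, right secret: buffer then accept
    a.receive(b.receive(a.receive(Packet(b.addr, "data", payload=b"frame-1"))))
    c = Vtep("10.0.0.3", secret, mode="active")         # 2. active, wrong secret: reject, drop buffer
    rogue = Vtep("10.0.0.66", b"guess")
    c.receive(rogue.receive(c.receive(Packet(rogue.addr, "data", payload=b"frame-2"))))
    ann = b.announce()                                  # 3. passive: multicast ok, unicast not, replayable
    p, q, r = (Vtep(f"10.0.0.{i}", secret, mode="passive") for i in (4, 5, 6))
    p.receive(ann)
    q.receive(Packet(ann.src, ann.kind, dst="unicast", payload=ann.payload))
    r.receive(ann)                                      # a captured copy, replayed later
    t = [0.0]                                           # 4. active, but the pending timer expires first
    slow = Vtep("10.0.0.7", secret, mode="active", clock=lambda: t[0])
    req = slow.receive(Packet(b.addr, "data", payload=b"frame-4"))
    t[0] = 6.0
    slow.receive(b.receive(req))
    return {"active_ok": outcome(a, b.addr), "active_wrong_secret": outcome(c, rogue.addr),
            "passive_multicast": outcome(p, b.addr), "passive_unicast": outcome(q, b.addr),
            "passive_replay": outcome(r, b.addr), "timer_expired": outcome(slow, b.addr)}
```

`demo()` returns the peer status and the accepted payloads for each scenario. Two points the model makes visible that the claims leave open: in passive mode the responder chooses its own nonce, so a captured multicast announcement is accepted by any passive VTEP sharing the secret and the group (the `passive_replay` result); only the active exchange, where the verifier's own challenge must be echoed, is replay-resistant in this construction, and a passive deployment would need another freshness source (a timestamp or sequence number bound into the MAC). Second, every packet from a new source creates a pending entry and a buffer, so spoofed source addresses can fill the pending table and buffers until the timer clears them; a bound on pending entries and per-peer buffer size belongs next to the timer.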

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.